Attacks Against Security Context in 5G Network

  • Conference paper
Mobile Internet Security (MobiSec 2022)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1644)

Abstract

The security context used in 5G authentication is generated during the Authentication and Key Agreement (AKA) procedure and stored on both the user equipment (UE) side and the network side for use in the subsequent fast registration procedure. Given its importance, it is imperative to formally analyze the mechanism that protects the security context. On the UE, the security context can be stored either in the Universal Subscriber Identity Module (USIM) card or in the baseband chip. In this work, we present a comprehensive formal verification, in ProVerif, of the fast registration procedure based on the security context under these two scenarios. Our analysis identifies two vulnerabilities, including one that has not been reported before. An attacker can exploit these vulnerabilities to register to the network with the victim’s identity and then launch other attacks. To ensure that these attacks are realizable in practice, we have responsibly confirmed them through experiments with three operators. Our analysis reveals that these vulnerabilities stem from design flaws in the standard and unsafe practices by operators. Finally, we propose several potential countermeasures to prevent these attacks. We have reported our findings to the GSMA and received the coordinated vulnerability disclosure (CVD) number CVD-2022-0057.

Supported by the National Natural Science Foundation of China (No. 62001055 and 61872386), and the Beijing University of Posts and Telecommunications-China Mobile Research Institute Joint Innovation Center.

Author information

Corresponding author

Correspondence to Baojiang Cui.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Cui, Z., Cui, B., Su, L., Du, H., Wang, H., Fu, J. (2023). Attacks Against Security Context in 5G Network. In: You, I., Kim, H., Angin, P. (eds) Mobile Internet Security. MobiSec 2022. Communications in Computer and Information Science, vol 1644. Springer, Singapore. https://doi.org/10.1007/978-981-99-4430-9_1

  • DOI: https://doi.org/10.1007/978-981-99-4430-9_1

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-4429-3

  • Online ISBN: 978-981-99-4430-9

  • eBook Packages: Computer Science, Computer Science (R0)
